| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| FreshRSS 1.26.2 source code.tar.gz | 2025-05-03 | 4.6 MB | |
| FreshRSS 1.26.2 source code.zip | 2025-05-03 | 5.1 MB | |
| README.md | 2025-05-03 | 5.6 kB | |
| Totals: 3 Items | | 9.7 MB | 0 |

This is a security-focussed release for FreshRSS 1.26.x, addressing several CVEs (thanks @Inverle) 🛡
A few highlights ✨:

* Implement JSON string concatenation with `&` operator
* Support multiple JSON fragments in HTML+XPath+JSON mode (e.g. JSON-LD)
* Multiple security fixes with CVEs
* Bug fixes

Notes ℹ:

* Favicons will be reconstructed automatically when feeds get refreshed. After that, you may need to refresh your Web browser as well.

This release has been made by @Alkarex, @Frenzie, @hkcomori, @loviuz, @math-GH and newcomers @dezponia, @glyn, @Inverle, @Machou, @mikropsoft
Full changelog:
- Features
- Bug fixing
- SimplePie
  - Fix support for feeds with XML preamble + DTD #7515, simplepie#914
  - Merged upstream #7434
  - Upstream fix simplepie#912
- Security
  - Disallow `<iframe srcdoc="">` #7494, CVE-2025-32015
  - Disallow `<button formaction="">` #7506
  - Improve favicons hash to avoid favicon pollution #7505, CVE-2025-46339
  - Add `Content-Security-Policy` HTTP headers to favicons #7471, CVE-2025-31136
  - Web scraping forbid security HTTP headers in cURL #7496, CVE-2025-46341
  - Add some HTTP headers `Referrer-Policy: same-origin` #6303, #7478
  - Use HTTP POST for logout #7489, CVE-2025-31482
  - Make update URL read-only #7477
  - Fix for extensions: Restrict valid paths in `ext.php` #7479, CVE-2025-31134
  - Fix for extensions: Secure serving of user files #7495
- Extensions
- Deployment
  - Apache: add check for `mod_filter` to ensure that `AddOutputFilterByType` works #7419
- UI
- I18n
- Misc.